The Sarbanes-Oxley Act of 2002 (SOX), which is administered by the Securities and Exchange Commission, is record-retention legislation specifying which records are to be kept and for how long (at least five years). It doesn’t describe how to retain those records, only that they must be retained. IT departments of companies that fall under SOX are affected because these days most records are electronic, and SOX covers all business records, including electronic records and e-mail messages.

For those businesses that must comply with SOX and are considering moving part or all of the IT department to the cloud, a quick reminder: even when third parties are involved and doing the work, any noncompliance or misrepresentation is still the responsibility of the primary company, not the organization contracted for cloud services.

The only way to ensure that the company selected for cloud services adheres to SOX regulations is through a Statement on Standards for Attestation Engagements (SSAE) 16 audit. The SSAE 16 auditing standard came from an enhancement to the Statement on Auditing Standards 70 reporting standard for controls, issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). SSAE 16 is essentially an audit report stating that the company has the necessary internal controls, processes, and procedures in place for the type of data and transactions it handles and for the degree of financial impact it can cause to other organizations. The items audited can range from data-protection policies to physical security for the network to backup provisions and power redundancy.

The SSAE audit reports, known as Service Organization Control (SOC) reports, come in three versions:

SOC 1 Report. This is a report on controls that may be relevant to internal controls over financial reporting.

SOC 2 Report. This is a report based on existing SysTrust and WebTrust principles. It evaluates the information systems relevant to security, availability, processing integrity, and confidentiality. This report contains detailed testing information.

SOC 3 Report. This report is also based on existing SysTrust and WebTrust principles but differs from the SOC 2 report in that it omits the testing details and is general enough to be used for marketing.

The SOC 2 report is most frequently requested for publicly traded companies in industries such as payroll processing; loan servicing; medical claims processing; data center, colocation, or network-monitoring services; and Software as a Service.

When the company providing the service has had the SSAE 16 audit, it can market itself as “SOX certified” and make its SOC 3 report available as marketing material.

Only certified public accountants (CPAs) can perform the SSAE 16 audit and issue the SOC reports. When looking at cloud services that market themselves as “SOX certified,” it is always a good idea to look at the SOC 3 report they use for marketing and see which CPA firm issued it. It would also be prudent to do a quick Google search to make sure the CPA firm is not new to SSAE 16 audits but has been performing them for a while.

So, as long as the cloud services provider selected has been audited and SOX certified, placing a business with it should ensure that the business remains SOX compliant. A further protection is to stipulate in the contract that the provider must maintain its SOX certification to keep your business.

About the Author

Melodie Hawkins has more than 20 years of experience in IT—more if you count the early years spent with a mainframe and punch cards before running away screaming. She has worked in such industries as health care, mining, environmental, and federal government (civilian and defense). Her expertise is in IT security, networking, and software. Melodie is an analyst with Studio B.